xref: /xnu-11215.41.3/osfmk/corecrypto/ccgcm.c (revision 33de042d024d46de5ff4e89f2471de6608e37fa4)

/* Copyright (c) (2015-2019,2021,2022) Apple Inc. All rights reserved.
 *
 * corecrypto is licensed under Apple Inc.’s Internal Use License Agreement (which
 * is contained in the License.txt file distributed with corecrypto) and only to
 * people who accept that license. IMPORTANT:  Any license rights granted to you by
 * Apple Inc. (if any) are limited to internal use within your organization only on
 * devices and computers you own or control, for the sole purpose of verifying the
 * security characteristics and correct functioning of the Apple Software.  You may
 * not, directly or indirectly, redistribute the Apple Software or any portions thereof.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#include "cc_internal.h"
#include "cc_macros.h"
#include "fipspost_trace.h"
#include "ccmode_gcm_internal.h"
#include <corecrypto/ccmode.h>

size_t
ccgcm_context_size(const struct ccmode_gcm *mode)
{
	CC_ENSURE_DIT_ENABLED

	return mode->size;
}

size_t
ccgcm_block_size(const struct ccmode_gcm *mode)
{
	CC_ENSURE_DIT_ENABLED

	return mode->block_size;
}

int
ccgcm_init(const struct ccmode_gcm *mode,
    ccgcm_ctx *ctx,
    size_t key_nbytes,
    const void *cc_sized_by(key_nbytes)key)
{
	CC_ENSURE_DIT_ENABLED

	return mode->init(mode, ctx, key_nbytes, key);
}

int
ccgcm_init_with_iv(const struct ccmode_gcm *mode, ccgcm_ctx *ctx,
    size_t key_nbytes, const void *key,
    const void *iv)
{
	CC_ENSURE_DIT_ENABLED

	int rc;

	rc = ccgcm_init(mode, ctx, key_nbytes, key);
	if (rc == 0) {
		rc = ccgcm_set_iv(mode, ctx, CCGCM_IV_NBYTES, iv);
	}
	if (rc == 0) {
		_CCMODE_GCM_KEY(ctx)->flags |= CCGCM_FLAGS_INIT_WITH_IV;
	}
	return rc;
}

int
ccgcm_set_iv(const struct ccmode_gcm *mode,
    ccgcm_ctx *ctx,
    size_t iv_nbytes,
    const void *cc_sized_by(iv_nbytes)iv)
{
	CC_ENSURE_DIT_ENABLED

	return mode->set_iv(ctx, iv_nbytes, iv);
}

int
ccgcm_inc_iv(CC_UNUSED const struct ccmode_gcm *mode, ccgcm_ctx *ctx, void *iv)
{
	CC_ENSURE_DIT_ENABLED

	uint8_t *Y0 = CCMODE_GCM_KEY_Y_0(ctx);

	cc_require(_CCMODE_GCM_KEY(ctx)->state == CCMODE_GCM_STATE_IV, errOut);
	cc_require(_CCMODE_GCM_KEY(ctx)->flags & CCGCM_FLAGS_INIT_WITH_IV, errOut);

	inc_uint(Y0 + 4, 8);
	cc_memcpy(iv, Y0, CCGCM_IV_NBYTES);
	cc_memcpy(CCMODE_GCM_KEY_Y(ctx), Y0, CCGCM_BLOCK_NBYTES);
	ccmode_gcm_update_pad(ctx);

	_CCMODE_GCM_KEY(ctx)->state = CCMODE_GCM_STATE_AAD;

	return 0;

errOut:
	return CCMODE_INVALID_CALL_SEQUENCE;
}

int
ccgcm_aad(const struct ccmode_gcm *mode,
    ccgcm_ctx *ctx,
    size_t nbytes,
    const void *cc_sized_by(nbytes)additional_data)
{
	CC_ENSURE_DIT_ENABLED

	return mode->gmac(ctx, nbytes, additional_data);
}

int
ccgcm_gmac(const struct ccmode_gcm *mode,
    ccgcm_ctx *ctx,
    size_t nbytes,
    const void *cc_sized_by(nbytes)in)
{
	CC_ENSURE_DIT_ENABLED

	return mode->gmac(ctx, nbytes, in);
}

int
ccgcm_update(const struct ccmode_gcm *mode,
    ccgcm_ctx *ctx,
    size_t nbytes,
    const void *cc_sized_by(nbytes)in,
    void *cc_sized_by(nbytes)out)
{
	CC_ENSURE_DIT_ENABLED

	return mode->gcm(ctx, nbytes, in, out);
}

int
ccgcm_finalize(const struct ccmode_gcm *mode,
    ccgcm_ctx *ctx,
    size_t tag_nbytes,
    void *cc_sized_by(tag_nbytes)tag)
{
	CC_ENSURE_DIT_ENABLED

	return mode->finalize(ctx, tag_nbytes, tag);
}

int
ccgcm_reset(const struct ccmode_gcm *mode, ccgcm_ctx *ctx)
{
	CC_ENSURE_DIT_ENABLED

	return mode->reset(ctx);
}

int
ccgcm_one_shot(const struct ccmode_gcm *mode,
    size_t key_nbytes, const void *key,
    size_t iv_nbytes, const void *iv,
    size_t adata_nbytes, const void *adata,
    size_t nbytes, const void *in, void *out,
    size_t tag_nbytes, void *tag)
{
	CC_ENSURE_DIT_ENABLED

	    FIPSPOST_TRACE_EVENT;

	int rc = 0;

	ccgcm_ctx_decl(mode->size, ctx);
	rc = ccgcm_init(mode, ctx, key_nbytes, key); cc_require(rc == 0, errOut);
	rc = ccgcm_set_iv(mode, ctx, iv_nbytes, iv); cc_require(rc == 0, errOut);
	rc = ccgcm_aad(mode, ctx, adata_nbytes, adata); cc_require(rc == 0, errOut);
	rc = ccgcm_update(mode, ctx, nbytes, in, out); cc_require(rc == 0, errOut);
	rc = ccgcm_finalize(mode, ctx, tag_nbytes, tag); cc_require(rc == 0, errOut);

errOut:
	ccgcm_ctx_clear(mode->size, ctx);
	return rc;
}


//ccgcm_one_shot_legacy() is created because in the previous implementation of aes-gcm
//set_iv() could be skipped.
//In the new version of aes-gcm set_iv() cannot be skipped and IV length cannot
//be zero, as specified in FIPS.
//do not call ccgcm_one_shot_legacy() in any new application
int
ccgcm_set_iv_legacy(const struct ccmode_gcm *mode, ccgcm_ctx *key, size_t iv_nbytes, const void *iv)
{
	CC_ENSURE_DIT_ENABLED

	int rc = -1;

	if (iv_nbytes == 0 || iv == NULL) {
		/* must be in IV state */
		cc_require(_CCMODE_GCM_KEY(key)->state == CCMODE_GCM_STATE_IV, errOut); /* CRYPT_INVALID_ARG */

		// this is the net effect of setting IV to the empty string
		cc_clear(CCGCM_BLOCK_NBYTES, CCMODE_GCM_KEY_Y(key));
		ccmode_gcm_update_pad(key);
		cc_clear(CCGCM_BLOCK_NBYTES, CCMODE_GCM_KEY_Y_0(key));

		_CCMODE_GCM_KEY(key)->state = CCMODE_GCM_STATE_AAD;
		rc = 0;
	} else {
		rc = ccgcm_set_iv(mode, key, iv_nbytes, iv);
	}

errOut:
	return rc;
}

int
ccgcm_one_shot_legacy(const struct ccmode_gcm *mode,
    size_t key_nbytes, const void *key,
    size_t iv_nbytes, const void *iv,
    size_t adata_nbytes, const void *adata,
    size_t nbytes, const void *in, void *out,
    size_t tag_nbytes, void *tag)
{
	CC_ENSURE_DIT_ENABLED

	int rc = 0;

	ccgcm_ctx_decl(mode->size, ctx);
	rc = ccgcm_init(mode, ctx, key_nbytes, key); cc_require(rc == 0, errOut);
	rc = ccgcm_set_iv_legacy(mode, ctx, iv_nbytes, iv); cc_require(rc == 0, errOut);
	rc = ccgcm_aad(mode, ctx, adata_nbytes, adata); cc_require(rc == 0, errOut);
	rc = ccgcm_update(mode, ctx, nbytes, in, out); cc_require(rc == 0, errOut);
	rc = ccgcm_finalize(mode, ctx, tag_nbytes, tag); cc_require(rc == 0, errOut);

errOut:
	ccgcm_ctx_clear(mode->size, ctx);
	return rc;
}

void
inc_uint(uint8_t *buf, size_t nbytes)
{
	for (size_t i = 1; i <= nbytes; i += 1) {
		size_t j = nbytes - i;
		buf[j] = (uint8_t)(buf[j] + 1);
		if (buf[j] > 0) {
			return;
		}
	}
}

void
ccmode_gcm_update_pad(ccgcm_ctx *key)
{
	inc_uint(CCMODE_GCM_KEY_Y(key) + 12, 4);
	CCMODE_GCM_KEY_ECB(key)->ecb(CCMODE_GCM_KEY_ECB_KEY(key), 1,
	    CCMODE_GCM_KEY_Y(key),
	    CCMODE_GCM_KEY_PAD(key));
}

void
ccmode_gcm_aad_finalize(ccgcm_ctx *key)
{
	if (_CCMODE_GCM_KEY(key)->state == CCMODE_GCM_STATE_AAD) {
		if (_CCMODE_GCM_KEY(key)->aad_nbytes % CCGCM_BLOCK_NBYTES > 0) {
			ccmode_gcm_mult_h(key, CCMODE_GCM_KEY_X(key));
		}
		_CCMODE_GCM_KEY(key)->state = CCMODE_GCM_STATE_TEXT;
	}
}